[SOLVED] Selinux blocks sshd from reading authorized_keys file

Posted: 2013/03/11 18:19:32
by scarville
I am setting up a new web server using 64 bit CentOS6. One of the requirements is that certain users must be able push updates to /var/www/etc/.. on this server. I manage this on the CentOS5 boxes using the authorized_keys file but the same trick doesn't work on the CentOS6 box.

The generic user is called wwwadmin and is a member of group apache.

All the permissions look correct:

# ls -ldZ /var/www/.ssh
drwx------. wwwadmin apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/.ssh

# ls -ldZ /var/www/.ssh/authorized_keys
-rw-r-----. wwwadmin apache unconfined_u:object_r:httpd_sys_content_t:s0 /var/www/.ssh/authorized_keys

(I also tried setting the perms on authorized_keys to 0600 with no luck.)

/var/log/messages reports:

Mar 11 10:19:16 drum setroubleshoot: SELinux is preventing /usr/sbin/sshd from open access on the file authorized_keys. For complete SELinux messages. run sealert -l ecaf5381-38d4-40da-b08f-525a1f14aa77

I check it with sealert:

# sealert -l ecaf5381-38d4-40da-b08f-525a1f14aa77
SELinux is preventing /usr/sbin/sshd from open access on the file authorized_keys.

***** Plugin catchall (100. confidence) suggests ***************************

If you believe that sshd should be allowed open access on the authorized_keys file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
allow this access for now by executing:
# grep sshd /var/log/audit/audit.log | audit2allow -M mypol
# semodule -i mypol.pp

When I ask audit2allow to make a suggestion, it looks like the read access is already granted!

# grep sshd /var/log/audit/audit.log | audit2allow

#============= sshd_t ==============
allow sshd_t httpd_sys_content_t:file open;
#!!!! This avc is allowed in the current policy

allow sshd_t httpd_sys_content_t:file read;

I tried restorecon -r /var/www/.ssh but no luck there either.
[Solved] Selinux blocks sshd from reading authorized_keys file

Posted: 2013/03/11 20:24:00
by scarville
Changed the context on .ssh and .ssh/authorized_keys to: system_u:object_r:usr_t:s0.

Changed context on /var/www to: unconfined_u:object_r:user_home_dir_t:s0

The second change is so xauth can create .Xauthority.
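As an added example (not code from the thread or from the SELinux tools), the script below reads raw audit.log records and lists, for one source domain, which permissions on which target types are actually being denied; this is the check worth doing before running audit2allow, since its suggestion above mixed an already-allowed "open" with the still-denied "read". The audit records are constructed to mirror the sshd_t -> httpd_sys_content_t case in this thread, and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original thread.
# Summarize SELinux AVC denials from audit.log for a given source domain.

# Constructed sample audit.log records (not real log data), shaped like the
# sshd -> authorized_keys denials described in the thread.
SAMPLE_AUDIT='type=AVC msg=audit(1363018756.123:101): avc:  denied  { read } for  pid=2001 comm="sshd" name="authorized_keys" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=AVC msg=audit(1363018756.123:101): avc:  denied  { open } for  pid=2001 comm="sshd" path="/var/www/.ssh/authorized_keys" dev=dm-0 ino=1234 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:httpd_sys_content_t:s0 tclass=file
type=SYSCALL msg=audit(1363018756.123:101): arch=c000003e syscall=2 success=no exit=-13'

# context_type CONTEXT  -- print the type field (third colon-separated part)
# of a context string such as the one shown by `ls -Z`.
context_type() {
    printf '%s\n' "$1" | cut -d: -f3
}

# avc_summary SOURCE_TYPE  -- read audit records on stdin and print one
# de-duplicated line per denial: "source_type target_type tclass permission".
avc_summary() {
    src="$1"
    grep 'avc: *denied' | awk -v src="$src" '
    {
        perm = ""; stype = ""; ttype = ""; tclass = ""
        for (i = 1; i <= NF; i++) {
            # the denied permission is the token between "{" and "}"
            if ($i == "{") perm = $(i + 1)
            if ($i ~ /^scontext=/) { split($i, a, ":"); stype = a[3] }
            if ($i ~ /^tcontext=/) { split($i, b, ":"); ttype = b[3] }
            if ($i ~ /^tclass=/)   { tclass = substr($i, 8) }
        }
        if (stype == src) print stype, ttype, tclass, perm
    }' | sort -u
}

# Usage on the constructed sample; on a real host replace the printf with
# `cat /var/log/audit/audit.log` (or `ausearch -m avc`).
printf '%s\n' "$SAMPLE_AUDIT" | avc_summary sshd_t
```

Each line of the summary names one (source type, target type, class, permission) tuple, so a target type that should never be reachable from sshd_t (like the httpd_sys_content_t in this thread) stands out as a labeling problem to fix with chcon or restorecon rather than a rule to add with audit2allow.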